Need to allow an external DNS to reply with an internal (i.e. private) address



  • For silly reasons, I need to allow DNS queries for an "outside" domain to map to an internal IP address. For example, blah.bloo.com (which isn't ours) might come back as 192.168.1.7. It seems like the way pfSense configures dnsmasq doesn't allow those sorts of queries, which seems sensible from a security perspective.

    Does dnsmasq do this sort of filtering? Anyone have a suggestion (other than "Don't do that!")?



  • Have you looked at Services -> DNS Forwarder scroll down to Host Override and Domain Override?



  • You should be able to use a domain override in that case, that rule doesn't apply to domain overrides. That's much safer than just disabling the DNS rebinding checks entirely, though you can do that under System>Advanced if you really want to.



  • @cmb:

    You should be able to use a domain override in that case, that rule doesn't apply to domain overrides. That's much safer than just disabling the DNS rebinding checks entirely, though you can do that under System>Advanced if you really want to.

    Have I got this right? Just override all DNS queries to the problem domain to…some outside DNS server. I can give that a try in a hurry.

    DNS rebinding! That's the term for it. I knew I'd read about it somewhere. Probably in The Book.

    No, I'd rather employ the work-around than disabling DNS rebind checks. Thanks for the tip.


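The thread turns on the difference between turning the DNS rebinding check off globally and exempting one domain from it. The following is an added example, not code from the thread, pfSense or dnsmasq: a small Python model of that check, written in the shape of dnsmasq's `stop-dns-rebind` / `rebind-domain-ok` options. It rejects any upstream reply that carries a private, loopback or link-local address unless the queried name falls under an explicitly exempted domain, so `blah.bloo.com -> 192.168.1.7` is dropped by default and accepted only when `bloo.com` is on the exemption list. The address ranges, the `RebindPolicy` class and the constructed replies are assumptions for illustration; the all-or-nothing handling of a reply is also a modelling choice, not a claim about dnsmasq internals.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Address space treated as "internal" by the rebinding check. This is a
# constructed approximation of RFC 1918 plus loopback, link-local, the
# "this network" block and IPv6 ULA; it is not copied from dnsmasq.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr: str) -> bool:
    """True if addr lies in any of the internal ranges above."""
    ip = ipaddress.ip_address(addr)
    # `in` across IP versions is simply False, so mixed lists are safe.
    return any(ip in net for net in INTERNAL_NETS)


def under_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    name = name.rstrip(".").lower()
    domain = domain.strip(".").lower()
    return name == domain or name.endswith("." + domain)


@dataclass
class RebindPolicy:
    """Hypothetical model of a resolver's rebinding policy (assumed names).

    stop_dns_rebind   : global switch, like dnsmasq's stop-dns-rebind
    rebind_domain_ok  : domains exempt from the check (the "domain override"
                        approach recommended in the thread)
    """
    stop_dns_rebind: bool = True
    rebind_domain_ok: Tuple[str, ...] = ()
    log: List[str] = field(default_factory=list)

    def accept_reply(self, qname: str, answers: Iterable[str]) -> bool:
        """Decide whether an upstream reply for qname may reach the client.

        A reply containing any internal address is rejected as a whole
        unless the check is off or qname is under an exempted domain.
        """
        answers = list(answers)
        if not self.stop_dns_rebind:
            return True
        if any(under_domain(qname, d) for d in self.rebind_domain_ok):
            return True
        bad = [a for a in answers if is_internal(a)]
        if bad:
            self.log.append(f"possible DNS-rebind attack detected: {qname} -> {bad}")
            return False
        return True


def evaluate(policy: RebindPolicy, replies) -> List[Tuple[str, bool]]:
    """Run a batch of (qname, answers) pairs through the policy."""
    return [(q, policy.accept_reply(q, a)) for q, a in replies]


# Constructed sample replies, modelled on the thread's scenario.
SAMPLE_REPLIES = [
    ("blah.bloo.com", ["192.168.1.7"]),      # external name, private answer
    ("www.example.net", ["203.0.113.10"]),   # ordinary public answer
    ("evil.example.org", ["10.0.0.5", "198.51.100.4"]),  # mixed: rejected
]

if __name__ == "__main__":
    strict = RebindPolicy()
    print("default policy:", evaluate(strict, SAMPLE_REPLIES))
    for line in strict.log:
        print("  ", line)

    # Exempt only the one problem domain, as the thread suggests, rather
    # than switching the whole check off.
    overridden = RebindPolicy(rebind_domain_ok=("bloo.com",))
    print("with override:", evaluate(overridden, SAMPLE_REPLIES))
```

The two policies at the bottom show the trade-off cmb describes: the exempted policy accepts the private answer for `blah.bloo.com` while still rejecting `evil.example.org`, whereas setting `stop_dns_rebind=False` would wave both through.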